tpm-key_attestation 0.12.0 → 0.13.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fe02507111938501d687c21a2a8461f086ca5ddd1b2d2f2715921a94ee249260
-  data.tar.gz: 3c7f0f3e79819bdd00e11febc517083320c40c8e4033c328654b64fe9eb88549
+  metadata.gz: c9e6f949c61e23e0614e570ac3eaeb2d1649d72af8681612cabe4df72b11c76b
+  data.tar.gz: d72f892493994557c4afb2547a9cfd78f9e75bd6a01b2d9026ad50028dc09c89
 SHA512:
-  metadata.gz: 0f77dbedcd721d3c06f6ec33a862f89c02360e913776a0c54847cf240b7af1d9ecde6b1bc1d2e1634b7342859bde36038a30aee8f1a85447a1afb494efd4506e
-  data.tar.gz: cac3351b83246f7c21f542a8c22043b99bdd73a7e218e25064f06785f173303f976aea9b2ffd13ac845e0f0155663543c74f3076f8c099b58db351ec4c823b0f
+  metadata.gz: be7db9415c8e0e3dc8182f3a5c5483ed410e70e2096552efc65426b92209df500057f34440006a16fa39a39121b47bd49987073a3588f029ed74267d38651d6d
+  data.tar.gz: a4aef2663a09171e1388db3ab116c5526766363e50beb5ac7b991988d2796c69527647ff9b49fa1863a9ff364ef4c5085cb5449abddc77d4e16347addd53bfe5

data/.github/workflows/build.yml

@@ -7,15 +7,24 @@
 
 name: build
 
-on: push
+on:  
+  push:
+    branches: [master]
+  pull_request:
+    types: [opened, synchronize]
 
 jobs:
   test:
-    runs-on: ubuntu-20.04
+    runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
       matrix:
+        os:
+          - ubuntu-20.04
+          - windows-latest
+          - macos-13
         ruby:
+          - '3.3'
           - '3.2'
           - '3.1'
           - '3.0'
@@ -28,6 +37,7 @@ jobs:
           - openssl_2_1
           - openssl_3_0
           - openssl_3_1
+          - openssl_3_2
         exclude:
           - ruby: '2.4'
             gemfile: openssl_3_0
@@ -37,10 +47,46 @@ jobs:
             gemfile: openssl_3_1
           - ruby: '2.5'
             gemfile: openssl_3_1
+          - ruby: '2.4'
+            gemfile: openssl_3_2
+          - ruby: '2.5'
+            gemfile: openssl_3_2
+          - ruby: '2.6'
+            gemfile: openssl_3_2
+          - ruby: '3.1'
+            gemfile: openssl_2_2
+            os: macos-13
+          - ruby: '3.1'
+            gemfile: openssl_2_1
+            os: macos-13
+          - ruby: '3.2'
+            gemfile: openssl_2_2
+            os: macos-13
+          - ruby: '3.2'
+            gemfile: openssl_2_1
+            os: macos-13
+          - ruby: '3.2'
+            gemfile: openssl_2_2
+            os: windows-latest
+          - ruby: '3.2'
+            gemfile: openssl_2_1
+            os: windows-latest
+          - ruby: '3.3'
+            gemfile: openssl_2_2
+            os: macos-13
+          - ruby: '3.3'
+            gemfile: openssl_2_1
+            os: macos-13
+          - ruby: '3.3'
+            gemfile: openssl_2_2
+            os: windows-latest
+          - ruby: '3.3'
+            gemfile: openssl_2_1
+            os: windows-latest
     env:
       BUNDLE_GEMFILE: gemfiles/${{ matrix.gemfile }}.gemfile
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - run: rm Gemfile.lock
     - uses: ruby/setup-ruby@v1
       with:

data/Appraisals

@@ -15,3 +15,7 @@ end
 appraise "openssl_3_1" do
   gem "openssl", "~> 3.1.0"
 end
+
+appraise "openssl_3_2" do
+  gem "openssl", "~> 3.2.0"
+end

data/CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## [v0.13.0] - 2025-01-21
+
+- Use public key from AIK cert for signature algorithm initalization [@santiagorodriguez96]
+- Support algorithm being ECC and pubArea's scheme parameter being TPM_ALG_NULL [@santiagorodriguez96]
+- Allow TPM:TPublic to handle ECC keys in pubArea correctly [@santiagorodriguez96]
+
+## [v0.12.1] - 2024-08-05
+
+- Fix loading trusted certificates on Windows. #20 & #21 [@johnnyshields], [@salmanasiddiqui]
+
 ## [v0.12.0] - 2022-07-05
 
 - Loose OpenSSL dependency to support 3.2 users. Credits to @stanhu <3
@@ -75,6 +85,7 @@ replacement of `JOSE` format `algorithm` string
 - `TPM::EKCertificate` wrapper
 - `TPM::SAttest` wrapper
 
+[v0.13.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.12.1...v0.13.0/
 [v0.12.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.11.0...v0.12.0/
 [v0.11.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.10.0...v0.11.0/
 [v0.10.0]: https://github.com/cedarcode/tpm-key_attestation/compare/v0.9.0...v0.10.0/

data/Gemfile

@@ -5,7 +5,7 @@ source "https://rubygems.org"
 # Specify your gem's dependencies in tpm-key_attestation.gemspec
 gemspec
 
-gem "appraisal", "~> 2.2.0"
+gem "appraisal", "~> 2.5.0"
 gem "byebug", "~> 11.0"
 gem "rake", "~> 13.0"
 gem "rspec", "~> 3.0"

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    tpm-key_attestation (0.11.0)
+    tpm-key_attestation (0.12.1)
       bindata (~> 2.4)
       openssl (> 2.0)
       openssl-signature_algorithm (~> 1.0)
@@ -9,37 +9,39 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    appraisal (2.2.0)
+    appraisal (2.5.0)
       bundler
       rake
       thor (>= 0.14.0)
     ast (2.4.2)
-    bindata (2.4.14)
+    bindata (2.5.0)
     byebug (11.1.3)
-    diff-lcs (1.4.4)
-    jaro_winkler (1.5.4)
-    openssl (3.1.0)
-    openssl-signature_algorithm (1.2.1)
-      openssl (> 2.0, < 3.1)
-    parallel (1.20.1)
-    parser (3.0.0.0)
+    diff-lcs (1.5.1)
+    jaro_winkler (1.5.6)
+    openssl (3.2.0)
+    openssl-signature_algorithm (1.3.0)
+      openssl (> 2.0)
+    parallel (1.26.3)
+    parser (3.3.6.0)
       ast (~> 2.4.1)
-    rainbow (3.0.0)
-    rake (13.0.3)
-    rexml (3.2.4)
-    rspec (3.10.0)
-      rspec-core (~> 3.10.0)
-      rspec-expectations (~> 3.10.0)
-      rspec-mocks (~> 3.10.0)
-    rspec-core (3.10.1)
-      rspec-support (~> 3.10.0)
-    rspec-expectations (3.10.1)
+      racc
+    racc (1.8.1)
+    rainbow (3.1.1)
+    rake (13.2.1)
+    rexml (3.3.9)
+    rspec (3.13.0)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.2)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.3)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.10.0)
-    rspec-mocks (3.10.2)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.2)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.10.0)
-    rspec-support (3.10.2)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.2)
     rubocop (0.80.1)
       jaro_winkler (~> 1.5.1)
       parallel (~> 1.10)
@@ -48,15 +50,15 @@ GEM
       rexml
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 1.7)
-    ruby-progressbar (1.11.0)
-    thor (1.1.0)
+    ruby-progressbar (1.13.0)
+    thor (1.3.2)
     unicode-display_width (1.6.1)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  appraisal (~> 2.2.0)
+  appraisal (~> 2.5.0)
   byebug (~> 11.0)
   rake (~> 13.0)
   rspec (~> 3.0)
@@ -64,4 +66,4 @@ DEPENDENCIES
   tpm-key_attestation!
 
 BUNDLED WITH
-   2.2.8
+   2.5.23

data/gemfiles/openssl_2_1.gemfile

@@ -2,7 +2,7 @@
 
 source "https://rubygems.org"
 
-gem "appraisal", "~> 2.2.0"
+gem "appraisal", "~> 2.5.0"
 gem "byebug", "~> 11.0"
 gem "rake", "~> 13.0"
 gem "rspec", "~> 3.0"

data/gemfiles/openssl_2_2.gemfile

@@ -2,7 +2,7 @@
 
 source "https://rubygems.org"
 
-gem "appraisal", "~> 2.2.0"
+gem "appraisal", "~> 2.5.0"
 gem "byebug", "~> 11.0"
 gem "rake", "~> 13.0"
 gem "rspec", "~> 3.0"

data/gemfiles/openssl_3_0.gemfile

@@ -2,7 +2,7 @@
 
 source "https://rubygems.org"
 
-gem "appraisal", "~> 2.2.0"
+gem "appraisal", "~> 2.5.0"
 gem "byebug", "~> 11.0"
 gem "rake", "~> 13.0"
 gem "rspec", "~> 3.0"

data/gemfiles/openssl_3_1.gemfile

@@ -2,7 +2,7 @@
 
 source "https://rubygems.org"
 
-gem "appraisal", "~> 2.2.0"
+gem "appraisal", "~> 2.5.0"
 gem "byebug", "~> 11.0"
 gem "rake", "~> 13.0"
 gem "rspec", "~> 3.0"

data/gemfiles/openssl_3_2.gemfile

@@ -0,0 +1,12 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "appraisal", "~> 2.5.0"
+gem "byebug", "~> 11.0"
+gem "rake", "~> 13.0"
+gem "rspec", "~> 3.0"
+gem "rubocop", "~> 0.80.1"
+gem "openssl", "~> 3.2.0"
+
+gemspec path: "../"

data/lib/tpm/certify_validator.rb

@@ -44,7 +44,13 @@ module TPM
     end
 
     def valid_signature?(verify_key)
-      openssl_signature_algorithm = openssl_signature_algorithm_class.new(**openssl_signature_algorithm_parameters)
+      parameters = { hash_function: openssl_hash_function }
+
+      if verify_key.is_a?(OpenSSL::PKey::EC) || verify_key.is_a?(OpenSSL::PKey::EC::Point)
+        parameters[:curve] = verify_key.group.curve_name
+      end
+
+      openssl_signature_algorithm = openssl_signature_algorithm_class.new(**parameters)
       openssl_signature_algorithm.verify_key = verify_key
       openssl_signature_algorithm.verify(signature, info)
     rescue OpenSSL::SignatureAlgorithm::Error
@@ -55,16 +61,6 @@ module TPM
       @attest ||= TPM::SAttest.deserialize(info)
     end
 
-    def openssl_signature_algorithm_parameters
-      parameters = { hash_function: openssl_hash_function }
-
-      if public_area.ecc?
-        parameters[:curve] = public_area.openssl_curve_name
-      end
-
-      parameters
-    end
-
     def openssl_hash_function
       TPM_HASH_ALG_TO_OPENSSL[hash_algorithm] || raise("Unsupported hash algorithm #{hash_algorithm}")
     end

data/lib/tpm/key_attestation/version.rb

@@ -2,6 +2,6 @@
 
 module TPM
   class KeyAttestation
-    VERSION = "0.12.0"
+    VERSION = "0.13.0"
   end
 end

data/lib/tpm/key_attestation.rb

@@ -15,7 +15,8 @@ module TPM
       begin
         pattern = File.expand_path(File.join(__dir__, "certificates", "*", "RootCA", "*.*"))
         Dir.glob(pattern).map do |filename|
-          File.open(filename) { |file| OpenSSL::X509::Certificate.new(file) }
+          file = File.binread(filename)
+          OpenSSL::X509::Certificate.new(file)
         end
       end
 

data/lib/tpm/t_public.rb

@@ -4,6 +4,7 @@ require "bindata"
 require "openssl"
 require "tpm/constants"
 require "tpm/sized_buffer"
+require "tpm/tpms_ecc_point"
 require "tpm/t_public/s_ecc_parms"
 require "tpm/t_public/s_rsa_parms"
 
@@ -42,7 +43,7 @@ module TPM
     end
 
     choice :unique, selection: :alg_type do
-      sized_buffer TPM::ALG_ECC
+      tpms_ecc_point TPM::ALG_ECC
       sized_buffer TPM::ALG_RSA
     end
 
@@ -75,9 +76,13 @@ module TPM
     private
 
     def ecc_key
-      if parameters.scheme == TPM::ALG_ECDSA
+      case parameters.scheme
+      when TPM::ALG_ECDSA, TPM::ALG_NULL
         group = OpenSSL::PKey::EC::Group.new(openssl_curve_name)
-        point = OpenSSL::PKey::EC::Point.new(group, bn(ECC_UNCOMPRESSED_POINT_INDICATOR + unique.buffer.value))
+        point = OpenSSL::PKey::EC::Point.new(
+          group,
+          bn(ECC_UNCOMPRESSED_POINT_INDICATOR + unique.x.buffer.value + unique.y.buffer.value)
+        )
 
         # RFC5480 SubjectPublicKeyInfo
         asn1 = OpenSSL::ASN1::Sequence(

data/lib/tpm/tpms_ecc_point.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require "bindata"
+
+module TPM
+  class TpmsEccPoint < BinData::Record
+    endian :big
+
+    sized_buffer :x
+    sized_buffer :y
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tpm-key_attestation
 version: !ruby/object:Gem::Version
-  version: 0.12.0
+  version: 0.13.0
 platform: ruby
 authors:
 - Gonzalo
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-02-15 00:00:00.000000000 Z
+date: 2025-01-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bindata
@@ -76,6 +76,7 @@ files:
 - gemfiles/openssl_2_2.gemfile
 - gemfiles/openssl_3_0.gemfile
 - gemfiles/openssl_3_1.gemfile
+- gemfiles/openssl_3_2.gemfile
 - lib/tpm/aik_certificate.rb
 - lib/tpm/certificates/AMD/RootCA/AMD-fTPM-ECC-RootCA.crt
 - lib/tpm/certificates/AMD/RootCA/AMD-fTPM-RSA-RootCA.crt
@@ -115,6 +116,7 @@ files:
 - lib/tpm/t_public/s_ecc_parms.rb
 - lib/tpm/t_public/s_rsa_parms.rb
 - lib/tpm/tpm2b_name.rb
+- lib/tpm/tpms_ecc_point.rb
 - lib/tpm/tpmt_ha.rb
 - tpm-key_attestation.gemspec
 homepage: https://github.com/cedarcode/tpm-key_attestation
@@ -139,7 +141,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.32
+rubygems_version: 3.5.11
 signing_key:
 specification_version: 4
 summary: TPM Key Attestation verifier